132 J. Wei, L.C. Liu and K.S. Koong

2.1 Layer 1: m-commerce device security

The root layer to enable m-commerce security is inherent in all the mobile communication devices because they can become a front-end security tool for m-commerce. Such devices may include, but are not limited to, mobile phones, palmtops, handheld computers, and PDAs. For example, the integrated SIM card in mobile phones can be augmented using the private key digital signature of a Public Key Infrastructure (PKI) system. Wireless terminals can also act as security devices for gaining access into buildings by using the Global System for Mobile (GSM) part of the mobile phone or via an authentication mechanism called Bluetooth technology (May, 2002). Based on these front-end setups, the SIM cards can access the GSM network and identify the wireless device to the network. The smartcard operating system can be adapted to run on a SIM chip, which allows GSM communications phones to contain digital signatures and credit card numbers.

It should be pointed out here that the use of wireless devices to serve as front-end security devices is still at the infant stage of development. First, some of the more common operational uncertainties include altered information, denial of access, interrupted transactions, transmission delays, and power outage. Second, instances of modified electronic signature-signing programmes on mobile devices and stolen or modified smart cards have also been found to exist. Third, an attacker can distribute malicious code, cause denial of service, and reestablish connections without reauthentication due to intermittent service failures and unreliable conditions (Ghosh and Swaminatha, 2000). Fourth, determining where a hacker is from can be a relatively difficult task because an attacker can quickly get on or off-line and not be linked to any specific geographic location (Chess, 1998). Fifth, narrow bandwidth and capacity can force developers to give up security and encryption to simplify the process (Vinaja, 2002). Lastly, there is always the possibility of the loss of the wireless devices and the data in them.

While it is true that these uncertainties can be overwhelming, the good news is that there are already some solutions that can be used to enhance security enforcement at this layer. Some of the proven methods include strict authentication protocols, cross-platform agent authentication mechanisms so the server can verify whether the agent is coming from a trusted source, password authentication, smartcard or token authentication, and biometric authentication. At the receiving end, memory protection for processes, protected kernel rings, file access control, authentication of principals to resources, differentiated user and process privileges, sandboxes for untrusted code, and biometric authentication can also be added. Put together, this is why user authentication, merchant authentication, secure (encrypted) channels, user-friendly payment schemes supporting micro payments, receipt delivery, and simple user interfaces are critical in the design and development of mobile devices (Thanh, 2000).

2.2 M-commerce language security

The second layer concerns language security; that is, those elements dealing with m-commerce security system development. Proven security software applications and tested programme modules are the key to the successful functioning of this layer. The possibility of using a language where all programmes are safe is to develop a 'safe' language in which all code has restricted access to operations that can affect